AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
2e17aaca2a
v8/test/mjsunit/regress/regress-crbug-1248704.js
Marja Hölttä 042e3e025b [builtins] Fix ArrayPrototypeSlice 
The bug was introduced in
https://chromium-review.googlesource.com/c/v8/v8/+/3147910 : We only
want the fast path when "start" is either missing or the number 0, not
when it's something which converts to 0.

Bug: chromium:1248704
Change-Id: I72bb8fa8a9b90a13aae216c6a8e16e7be54285fe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3157948
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76789}
2021-09-13 10:19:16 +00:00

13 lines
326 B
JavaScript
Raw Blame History

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
let evil = {
valueOf: function () {
array.length = 1;
}
};
let array = [1, 2, 3];
let newArray = array.slice(evil);
assertEquals(3, newArray.length);
Reference in New Issue View Git Blame Copy Permalink